Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 2. Customer Cloud Subscriptions on Google Cloud

OpenShift Dedicated provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage clusters in a customer’s existing Google Cloud account.

2.1. Understanding Customer Cloud Subscriptions on Google Cloud
Copiar enlace

Red Hat OpenShift Dedicated provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage OpenShift Dedicated into a customer’s existing Google Cloud account. Red Hat requires several prerequisites be met in order to provide this service.

Red Hat recommends the usage of a Google Cloud project, managed by the customer, to organize all of your Google Cloud resources. A project consists of a set of users and APIs, as well as billing, authentication, and monitoring settings for those APIs.

It is recommended for the OpenShift Dedicated cluster using a CCS model to be hosted in a Google Cloud project within a Google Cloud organization. The organization resource is the root node of the Google Cloud resource hierarchy and all resources that belong to an organization are grouped under the organization node. Customers have the choice of using service account keys or Workload Identity Federation when creating the roles and credentials necessary to access Google Cloud resources within a Google Cloud project.

For more information about creating and managing organization resources within Google Cloud, see Creating and managing organization resources.

2.2. Customer requirements
Copiar enlace

OpenShift Dedicated clusters using a Customer Cloud Subscription (CCS) model on Google Cloud must meet several prerequisites before they can be deployed.

2.2.1. Account
Copiar enlace

  • The customer ensures that Google Cloud limits and allocation quotas that apply to Compute Engine are sufficient to support OpenShift Dedicated provisioned within the customer-provided Google Cloud account.
  • The customer-provided Google Cloud account should be in the customer’s Google Cloud Organization.
  • The customer-provided Google Cloud account must not be transferable to Red Hat.
  • The customer may not impose Google Cloud usage restrictions on Red Hat activities. Imposing restrictions severely hinders Red Hat’s ability to respond to incidents.
  • Red Hat deploys monitoring into Google Cloud to alert Red Hat when a highly privileged account, such as a root account, logs into the customer-provided Google Cloud account.

  • The customer can deploy native Google Cloud services within the same customer-provided Google Cloud account.

    Note

    Customers are encouraged, but not mandated, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting OpenShift Dedicated and other Red Hat supported services.

2.2.2. Access requirements
Copiar enlace

  • To appropriately manage the OpenShift Dedicated service, Red Hat must have the AdministratorAccess policy applied to the administrator role at all times.

    Note

    This policy only provides Red Hat with permissions and capabilities to change resources in the customer-provided Google Cloud account.

  • Red Hat must have Google Cloud console access to the customer-provided Google Cloud account. This access is protected and managed by Red Hat.
  • The customer must not utilize the Google Cloud account to elevate their permissions within the OpenShift Dedicated cluster.
  • Actions available in the OpenShift Cluster Manager must not be directly performed in the customer-provided Google Cloud account.

2.2.3. Support requirements
Copiar enlace

  • Red Hat recommends that the customer have at least Enhanced Support from Google Cloud.
  • Red Hat has authority from the customer to request Google Cloud support on their behalf.
  • Red Hat has authority from the customer to request Google Cloud resource limit increases on the customer-provided account.
  • Red Hat manages the restrictions, limitations, expectations, and defaults for all OpenShift Dedicated clusters in the same manner, unless otherwise specified in this requirements section.

2.2.4. Security requirements
Copiar enlace

  • The customer-provided IAM credentials must be unique to the customer-provided Google Cloud account and must not be stored anywhere in the customer-provided Google Cloud account.
  • Volume snapshots will remain within the customer-provided Google Cloud account and customer-specified region.

  • To manage, monitor, and troubleshoot OpenShift Dedicated clusters, Red Hat must have direct access to the cluster’s API server. You must not restrict or otherwise prevent Red Hat’s access to the OpenShift Dedicated cluster’s API server.

    Note

    SRE uses various methods to access clusters, depending on network configuration. Access to private clusters is restricted to Red Hat trusted IP addresses only. These access restrictions are managed automatically by Red Hat.

  • OpenShift Dedicated requires egress access to certain endpoints over the internet. Only clusters deployed with Private Service Connect can use a firewall to control egress traffic. For additional information, see the Google Cloud firewall prerequisites section.

2.3. Required customer procedure
Copiar enlace

The Customer Cloud Subscription (CCS) model allows Red Hat to deploy and manage OpenShift Dedicated into a customer’s Google Cloud project. Red Hat requires several prerequisites to be completed before providing these services.

Note

The following requirements in this topic apply to OpenShift Dedicated on Google Cloud clusters created using both the Workload Identity Federation (WIF) and service account authentication types. Red Hat recommends using WIF as the authentication type for installing and interacting with an OpenShift Dedicated cluster deployed on Google Cloud because WIF provides enhanced security.

For information about creating a cluster using the WIF authentication type, see Additional resources.

For additional requirements that apply to the WIF authentication type only, see Workload Identity Federation authentication type procedure. For additional requirements that apply to the service account authentication type only, see Service account authentication type procedure.

Prerequisites

Before using OpenShift Dedicated in your Google Cloud project, confirm that the following organizational policy constraints are configured correctly where applicable:

  • constraints/iam.allowedPolicyMemberDomains

    • This policy constraint is supported only if Red Hat’s Directory Customer ID’s C02k0l5e8 and C04j7mbwl are included in the allowlist.

  • constraints/compute.restrictLoadBalancerCreationForTypes

    • This policy constraint is supported only when creating a private cluster with Google Cloud Private Service Connect (PSC). You must ensure that the INTERNAL_TCP_UDP load balancer type is included in the allowlist or excluded from the deny list.

      Important

      Although the EXTERNAL_NETWORK_TCP_UDP load balancer type is not required when creating a private cluster with Google Cloud Private Service Connect (PSC), disallowing it via this constraint will prevent the cluster from being able to create externally accessible load balancers.

  • constraints/compute.requireShieldedVm

    • This policy constraint is supported only if the cluster is created with Enable Secure Boot support for Shielded VMs selected during the initial cluster creation.

  • constraints/compute.vmExternalIpAccess

    • This policy constraint is supported only when creating a private cluster with Google Cloud Private Service Connect (PSC). For all other cluster types, this policy constraint is supported only after cluster creation.

  • constraints/compute.trustedImageProjects

    • This policy constraint is supported only when the projects redhat-marketplace-public, rhel-cloud, and rhcos-cloud are included in the allowlist. If this policy constraint is enabled and these projects are not included in the allowlist, cluster creation will fail.

For more information about configuring Google Cloud organization policy constraints, see Organization policy constraints.

Procedure

  1. Create a Google Cloud project to host the OpenShift Dedicated cluster.

  2. Enable the following required APIs in the project that hosts your OpenShift Dedicated cluster:

    Expand
    Table 2.1. Required API services
    API serviceConsole service namePurpose

    Cloud Deployment Manager V2 API

    deploymentmanager.googleapis.com

    Used for automated deployment and management of infrastructure resources.

    Compute Engine API

    compute.googleapis.com

    Used for creating and managing virtual machines, firewalls, networks, persistent disk volumes, and load balancers.

    Cloud Resource Manager API

    cloudresourcemanager.googleapis.com

    Used for getting projects, getting or setting an IAM policy for projects, validating required permissions, and tagging.

    Cloud DNS API

    dns.googleapis.com

    Used for creating DNS zones and managing DNS records for the cluster domains.

    IAM Service Account Credentials API

    iamcredentials.googleapis.com

    Used for creating short-lived credentials for impersonating IAM service accounts.

    Identity and Access Management (IAM) API

    iam.googleapis.com

    Used for managing the IAM configuration for the cluster.

    Service Management API

    servicemanagement.googleapis.com

    Used indirectly to fetch quota information for Google Cloud resources.

    Service Usage API

    serviceusage.googleapis.com

    Used for determining what services are available in the customer’s Google Cloud account.

    Cloud Storage JSON API

    storage-api.googleapis.com

    Used for accessing Cloud Storage for the image registry, ignition, and cluster backups (if applicable).

    Cloud Storage

    storage-component.googleapis.com

    Used for managing Cloud Storage for the image registry, ignition, and cluster backups (if applicable).

    Organization Policy API

    orgpolicy.googleapis.com

    Used to identify governance rules applied to customer’s Google Cloud that might impact cluster creation or management.

    Cloud Identity-Aware Proxy API

    iap.googleapis.com [*]

    Used in emergency situations to troubleshoot cluster nodes that are otherwise inaccessible.

    This API is required for clusters deployed with Private Service Connect.

2.3.1. Workload Identity Federation authentication type procedure
Copiar enlace

Besides the required customer procedures listed in Required customer procedure, there are other specific actions that you must take when creating an OpenShift Dedicated cluster on Google Cloud using Workload Identity Federation (WIF) as the authentication type.

Procedure

  1. Assign the following roles to the service account of the user implementing the WIF authentication type:

    Important

    The following roles are only required when creating, updating, or deleting WIF configurations.

    Expand
    Table 2.2. Required roles
    Role and descriptionConsole role namePermissions

    Role Admin

    Required by the Google Cloud client in the OCM CLI for creating custom role.

    roles/iam.roleAdmin

    • iam.roles.create
    • iam.roles.delete
    • iam.roles.get
    • iam.roles.list
    • iam.roles.undelete
    • iam.roles.update
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy

    Service Account Admin

    Required for the pre-creation of the service accounts used by the deployer, support, and Operators.

    roles/iam.serviceAccountAdmin

    • iam.serviceAccountApiKeyBindings.create
    • iam.serviceAccountApiKeyBindings.delete
    • iam.serviceAccountApiKeyBindings.undelete
    • iam.serviceAccounts.create
    • iam.serviceAccounts.createTagBinding
    • iam.serviceAccounts.delete
    • iam.serviceAccounts.deleteTagBinding
    • iam.serviceAccounts.disable
    • iam.serviceAccounts.enable
    • iam.serviceAccounts.get
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.list
    • iam.serviceAccounts.listEffectiveTags
    • iam.serviceAccounts.listTagBindings
    • iam.serviceAccounts.setIamPolicy
    • iam.serviceAccounts.undelete
    • iam.serviceAccounts.update
    • resourcemanager.projects.get
    • resourcemanager.projects.list

    Workload Identity Pool Admin

    Required to create and configure the workload identity pool.

    roles/iam.workloadIdentityPoolAdmin

    • iam.googleapis.com/workloadIdentityPoolProviderKeys.create
    • iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
    • iam.googleapis.com/workloadIdentityPoolProviderKeys.get
    • iam.googleapis.com/workloadIdentityPoolProviderKeys.list
    • iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
    • iam.googleapis.com/workloadIdentityPoolProviders.create
    • iam.googleapis.com/workloadIdentityPoolProviders.delete
    • iam.googleapis.com/workloadIdentityPoolProviders.get
    • iam.googleapis.com/workloadIdentityPoolProviders.list
    • iam.googleapis.com/workloadIdentityPoolProviders.undelete
    • iam.googleapis.com/workloadIdentityPoolProviders.update
    • iam.googleapis.com/workloadIdentityPools.create
    • iam.googleapis.com/workloadIdentityPools.delete
    • iam.googleapis.com/workloadIdentityPools.get
    • iam.googleapis.com/workloadIdentityPools.list
    • iam.googleapis.com/workloadIdentityPools.undelete
    • iam.googleapis.com/workloadIdentityPools.update
    • iam.workloadIdentityPools.createPolicyBinding
    • iam.workloadIdentityPools.deletePolicyBinding
    • iam.workloadIdentityPools.searchPolicyBindings
    • iam.workloadIdentityPools.updatePolicyBinding
    • resourcemanager.projects.get
    • resourcemanager.projects.list

    Project IAM Admin

    Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.

    roles/resourcemanager.projectIamAdmin

    • iam.policybindings.get
    • iam.policybindings.list
    • resourcemanager.projects.createPolicyBinding
    • resourcemanager.projects.deletePolicyBinding
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.searchPolicyBindings
    • resourcemanager.projects.setIamPolicy
    • resourcemanager.projects.updatePolicyBinding

  2. Install the OpenShift Cluster Manager API command-line interface (ocm).

    Important

    OpenShift Cluster Manager API command-line interface (ocm) is a Developer Preview feature only. For more information about the support scope of Red Hat Developer Preview features, see Developer Preview Support Scope.

  3. To authenticate against your Red Hat OpenShift Cluster Manager account, run one of the following commands.

    1. If your system supports a web-based browser, run the Red Hat single sign-on (SSO) authorization code command for secure authentication:

      Syntax

      $ ocm login --use-auth-code
      Copy to Clipboard Toggle word wrap

      Running this command will redirect you to the Red Hat SSO login. Log in with your Red Hat login or email.

    2. If you are working with containers, remote hosts, and other environments without a web browser, run the Red Hat single sign-on (SSO) device code command for secure authentication:

      Syntax

      $ ocm login --use-device-code
      Copy to Clipboard Toggle word wrap

      Running this command will redirect you to the Red Hat SSO login and provide a log in code.

      To switch accounts, logout from https://sso.redhat.com and run the ocm logout command in your terminal before attempting to login again.

  4. Install the gcloud CLI.
  5. Authenticate the gcloud CLI with the Application Default Credentials (ADC).

2.3.2. Service account authentication type procedure
Copiar enlace

Besides the required customer procedures listed in Required customer procedure, there are other specific actions that you must take when creating an OpenShift Dedicated cluster on Google Cloud using a service account as the authentication type.

Procedure

  1. To ensure that Red Hat can perform necessary actions, you must create an osd-ccs-admin IAM service account user within the Google Cloud project.

    The following roles must be granted to the service account:

    Expand
    Table 2.3. Required roles
    RoleConsole role name

    Compute Admin

    roles/compute.admin

    DNS Administrator

    roles/dns.admin

    Organization Policy Viewer

    roles/orgpolicy.policyViewer

    Service Management Administrator

    roles/servicemanagement.admin

    Service Usage Admin

    roles/serviceusage.serviceUsageAdmin

    Storage Admin

    roles/storage.admin

    Compute Load Balancer Admin

    roles/compute.loadBalancerAdmin

    Role Viewer

    roles/viewer

    Role Administrator

    roles/iam.roleAdmin

    Security Admin

    roles/iam.securityAdmin

    Service Account Key Admin

    roles/iam.serviceAccountKeyAdmin

    Service Account Admin

    roles/iam.serviceAccountAdmin

    Service Account User

    roles/iam.serviceAccountUser

  2. Create the service account key for the osd-ccs-admin IAM service account. Export the key to a file named osServiceAccount.json; this JSON file will be uploaded in Red Hat OpenShift Cluster Manager when you create your cluster.

2.4. Red Hat managed Google Cloud resources
Copiar enlace

Red Hat is responsible for creating and managing the following IAM Google Cloud resources.

Important

The IAM service account and roles and IAM group and roles topics are only applicable to clusters created using the service account authentication type.

2.4.1. IAM service account and roles
Copiar enlace

The osd-managed-admin IAM service account is created immediately after taking control of the customer-provided Google Cloud account. This is the user that will perform the OpenShift Dedicated cluster installation.

The following roles are attached to the service account:

Expand
Table 2.4. IAM roles for osd-managed-admin
RoleConsole role nameDescription

Compute Admin

roles/compute.admin

Provides full control of all Compute Engine resources.

DNS Administrator

roles/dns.admin

Provides read-write access to all Cloud DNS resources.

Security Admin

roles/iam.securityAdmin

Security admin role, with permissions to get and set any IAM policy.

Storage Admin

roles/storage.admin

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Service Account Admin

roles/iam.serviceAccountAdmin

Create and manage service accounts.

Service Account Key Admin

roles/iam.serviceAccountKeyAdmin

Create and manage (and rotate) service account keys.

Service Account User

roles/iam.serviceAccountUser

Run operations as the service account.

Role Administrator

roles/iam.roleAdmin

Provides access to all custom roles in the project.

2.4.2. IAM group and roles
Copiar enlace

The sd-sre-platform-gcp-access Google group is granted access to the Google Cloud project to allow Red Hat Site Reliability Engineering (SRE) access to the console for emergency troubleshooting purposes.

Note
  • For information regarding the roles within the sd-sre-platform-gcp-access group that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see managed-cluster-config.
  • For information about creating a cluster using the Workload Identity Federation authentication type, see Additional resources.

The following roles are attached to the group:

Expand
Table 2.5. IAM roles for sd-sre-platform-gcp-access
RoleConsole role nameDescription

Compute Admin

roles/compute.admin

Provides full control of all Compute Engine resources.

Editor

roles/editor

Provides all viewer permissions, plus permissions for actions that modify state.

Organization Policy Viewer

roles/orgpolicy.policyViewer

Provides access to view Organization Policies on resources.

Project IAM Admin

roles/resourcemanager.projectIamAdmin

Provides permissions to administer IAM policies on projects.

Quota Administrator

roles/servicemanagement.quotaAdmin

Provides access to administer service quotas.

Role Administrator

roles/iam.roleAdmin

Provides access to all custom roles in the project.

Service Account Admin

roles/iam.serviceAccountAdmin

Create and manage service accounts.

Service Usage Admin

roles/serviceusage.serviceUsageAdmin

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

Tech Support Editor

roles/cloudsupport.techSupportEditor

Provides full read-write access to technical support cases.

2.5. Provisioned Google Cloud Infrastructure
Copiar enlace

This is an overview of the provisioned Google Cloud components on a deployed OpenShift Dedicated cluster. For a more detailed listing of all provisioned Google Cloud components, see the OpenShift Container Platform documentation.

2.5.1. Compute instances
Copiar enlace

Google Cloud compute instances are required to deploy the control plane and data plane functions of OpenShift Dedicated in Google Cloud. Instance types might vary for control plane and infrastructure nodes depending on worker node count.

  • Single availability zone

    • 2 infra nodes (n2-highmem-4 machine type: 4 vCPU and 32 GB RAM)
    • 3 control plane nodes (n2-standard-8 machine type: 8 vCPU and 32 GB RAM)
    • 2 worker nodes (default n2-standard-4 machine type: 4 vCPU and 16 GB RAM)

  • Multiple availability zones

    • 3 infra nodes (n2-highmem-4 machine type: 4 vCPU and 32 GB RAM)
    • 3 control plane nodes (n2-standard-8 machine type: 8 vCPU and 32 GB RAM)
    • 3 worker nodes (default n2-standard-4 machine type: 4 vCPU and 16 GB RAM)

2.5.2. Storage
Copiar enlace

  • Infrastructure volumes:

    • 300 GB SSD persistent disk (deleted on instance deletion)
    • 110 GB Standard persistent disk (kept on instance deletion)

  • Worker volumes:

    • 300 GB SSD persistent disk (deleted on instance deletion)

  • Control plane volumes:

    • 350 GB SSD persistent disk (deleted on instance deletion)

2.5.3. VPC
Copiar enlace

Note

Installing a new OpenShift Dedicated cluster into a VPC that was automatically created by the installer for a different cluster is not supported.

  • Subnets: One master subnet for the control plane workloads and one worker subnet for all others. An additional subnet is required for Google Private Service Connect (PSC) when a private cluster is deployed using PSC.
  • Router tables: One global route table per VPC.
  • Internet gateways: One internet gateway per cluster.
  • NAT gateways: One master NAT gateway and one worker NAT gateway per cluster.

2.5.4. Services
Copiar enlace

For a list of services that must be enabled on a Google Cloud CCS cluster, see the Required API services table.

2.6. Google Cloud account limits
Copiar enlace

The OpenShift Dedicated cluster uses a number of Google Cloud components, but the default quotas do not affect your ability to install an OpenShift Dedicated cluster.

A standard OpenShift Dedicated cluster uses the following resources. Note that some resources are required only during the bootstrap process and are removed after the cluster deploys.

Note

3 subnets are required to deploy a private cluster with Private Service Connect (PSC). These subnets are a control plane subnet, a worker subnet, and a subnet used for the PSC service attachment with the purpose set to Private Service Connect.

48 vCPUs for a default multi-AZ OpenShift Dedicated cluster consists of 3 compute nodes (4 vCPUs each, one per availability zone), 3 infra nodes (4 vCPU each), and 3 control plane nodes (8 vCPU each).

40 vCPUs for a default single-AZ OpenShift Dedicated cluster consists of 2 compute nodes (4 vCPUs each), 2 infra nodes (4 vCPU each) and 3 control plane nodes (8 vCPU each).

Expand
Table 2.6. Google Cloud resources used in a default cluster
ServiceComponentLocationTotal resources requiredResources removed after bootstrap

Service account

IAM

Global

10

0

Firewall Rules

Compute

Global

11

1

Forwarding Rules

Compute

Global

2

0

In-use global IP addresses

Compute

Global

4

1

Health checks

Compute

Global

3

0

Images

Compute

Global

1

0

Networks

Compute

Global

2

0

Static IP addresses

Compute

Region

4

1

Routers

Compute

Global

1

0

Routes

Compute

Global

2

0

Subnetworks

Compute

Global

3

0

Target Pools

Compute

Global

3

0

CPUs

Compute

Region

48

4

Persistent Disk SSD (GB)

Compute

Region

1060

128

Note

If any of the quotas are insufficient during installation, the installation program displays an error that states both which quota was exceeded and the region.

Be sure to consider your actual cluster size, planned cluster growth, and any usage from other clusters that are associated with your account. The CPU, Static IP addresses, and Persistent Disk SSD (Storage) quotas are the ones that are most likely to be insufficient.

If you plan to deploy your cluster in one of the following regions, you will exceed the maximum storage quota and are likely to exceed the CPU quota limit:

  • asia-east2
  • asia-northeast2
  • asia-south1
  • australia-southeast1
  • europe-north1
  • europe-west2
  • europe-west3
  • europe-west6
  • northamerica-northeast1
  • southamerica-east1
  • us-west2

You can increase resource quotas from the Google Cloud console, but you might need to file a support ticket. Be sure to plan your cluster size early so that you can allow time to resolve the support ticket before you install your OpenShift Dedicated cluster.

2.7. Google Cloud firewall prerequisites
Copiar enlace

If you are using a firewall to control egress traffic from OpenShift Dedicated on Google Cloud, you must configure your firewall to grant access to certain domains and port combinations listed in the tables below. OpenShift Dedicated requires this access to provide a fully managed OpenShift service.

Important

Only OpenShift Dedicated on Google Cloud clusters deployed with Private Service Connect can use a firewall to control egress traffic.

Procedure

  1. Add the following URLs that are used to install and download packages and tools to an allowlist:

    Expand
    DomainPortFunction

    registry.redhat.io

    443

    Provides core container images.

    quay.io

    443

    Provides core container images.

    cdn01.quay.io

    cdn02.quay.io

    cdn03.quay.io

    cdn04.quay.io

    cdn05.quay.io

    cdn06.quay.io

    443

    Provides core container images.

    sso.redhat.com

    443

    Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.

    quayio-production-s3.s3.amazonaws.com

    443

    Provides core container images.

    pull.q1w2.quay.rhcloud.com

    443

    Provides core container images.

    registry.access.redhat.com

    443

    Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the odo CLI tool that helps developers build on OpenShift and Kubernetes.

    registry.connect.redhat.com

    443

    Required for all third-party images and certified Operators.

    console.redhat.com

    443

    Required. Allows interactions between the cluster and Red Hat OpenShift Cluster Manager to enable functionality, such as scheduling upgrades.

    sso.redhat.com

    443

    The https://console.redhat.com/openshift site uses authentication from sso.redhat.com.

    catalog.redhat.com

    443

    The registry.access.redhat.com and https://registry.redhat.io sites redirect through catalog.redhat.com.

  2. Add the following telemetry URLs to an allowlist:

    Expand
    DomainPortFunction

    cert-api.access.redhat.com

    443

    Required for telemetry.

    api.access.redhat.com

    443

    Required for telemetry.

    infogw.api.openshift.com

    443

    Required for telemetry.

    console.redhat.com

    443

    Required for telemetry and {red-hat-lightspeed}.

    observatorium-mst.api.openshift.com

    443

    Required for managed OpenShift-specific telemetry.

    observatorium.api.openshift.com

    443

    Required for managed OpenShift-specific telemetry.

    Note

    Managed clusters require the enabling of telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see About remote health monitoring in the Additional resources section.

  3. Add the following OpenShift Dedicated URLs to an allowlist:

    Expand
    DomainPortFunction

    mirror.openshift.com

    443

    Used to access mirrored installation content and images. This site is also a source of release image signatures.

    api.openshift.com

    443

    Used to check if updates are available for the cluster.

  4. Add the following site reliability engineering (SRE) and management URLs to an allowlist:

    Expand
    DomainPortFunction

    api.pagerduty.com

    443

    This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

    events.pagerduty.com

    443

    This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

    api.deadmanssnitch.com

    443

    Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.

    nosnch.in

    443

    Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.

    http-inputs-osdsecuritylogs.splunkcloud.com

    443

    Used by the splunk-forwarder-operator as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.

    sftp.access.redhat.com (Recommended)

    22

    The SFTP server used by must-gather-operator to upload diagnostic logs to help troubleshoot issues with the cluster.

  5. Add the following URLs for the Google Cloud API endpoints to an allowlist:

    Expand
    DomainPortFunction

    accounts.google.com

    443

    Used to access your Google Cloud account.

    *.googleapis.com

    OR

    storage.googleapis.com

    iam.googleapis.com

    serviceusage.googleapis.com

    cloudresourcemanager.googleapis.com

    compute.googleapis.com

    oauth2.googleapis.com

    dns.googleapis.com

    iamcredentials.googleapis.com

    443

    Used to access Google Cloud services and resources. Review Cloud Endpoints in the Google Cloud documentation to determine the endpoints to allow for your APIs.

    Note

    Required Google APIs can be exposed using the Private Google Access restricted virtual IP (VIP), with the exception of the Service Usage API (serviceusage.googleapis.com). To circumvent this, you must expose the Service Usage API using the Private Google Access private VIP.

2.8. Additional resources
Copiar enlace

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat